No prompt for password change for VPN client authenticating using ACS local DB
I'm setting up VPN authentication using ACS 5.1 and ASA 8.0.5. The user connects using the Cisco VPN client and is authenticated against the internal users DB on ACS. Everything works, except that if "Change password on next login" is checked for a user, the login will fail. The RADIUS log on ACS says the user needs to change password. However, it didn't prompt for the password change. I know there must be a simple option either in the VPN client profile or .ini file, or on the ASA tunnel-group definition. However, I tried several options and still couldn't make it work. Does anyone know?
Re: No prompt for password change for VPN client authenticate us
To make it work, MS-CHAPv2 must be selected as an allowed protocol under the ACS access policy, and under the VPN tunnel group, enable password management. However, this doesn't fix the issue in my case: because all my other users should be using PAP/ASCII, when MS-CHAPv2 is enabled, somehow all authentication would use MS-CHAPv2 and fail. And I can't think of a way to define two different VPN policies to separate these two types of authentication requests.
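For reference, this is what the ASA side of the reply above looks like on the CLI. It is an illustration added here, not configuration posted in the thread; the server-group name, tunnel-group name, interface, address and secrets are placeholders. The ACS side (selecting MS-CHAPv2 under the access service's allowed protocols) is done in the ACS GUI and is not shown.

```cisco
! Added example (not from the thread). Names, interface and
! address are assumptions; replace them with your own values.
!
! RADIUS server group pointing at the ACS 5.1 server
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Remote-access tunnel group used by the Cisco VPN client
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
 ! Lets the ASA relay the "change password" request to the client.
 ! With RADIUS this only works over MS-CHAPv2, so ACS must allow it.
 password-management
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <group-key>
```

Note that once `password-management` is set, the ASA sends the RADIUS authentication for that tunnel group as MS-CHAPv2 rather than PAP, which is consistent with the behaviour the reply describes for users who are supposed to authenticate with PAP/ASCII.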